CVE-2026-25113: CWE-307 Improper Restriction of Excessive Authentication Attempts in SWITCH EV swtchenergy.com
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
AI Analysis
Technical Summary
CVE-2026-25113 identifies a vulnerability in the WebSocket API of SWITCH EV's swtchenergy.com platform, where there is an improper restriction of excessive authentication attempts (CWE-307). The WebSocket interface does not enforce rate limiting on authentication requests, which means an attacker can flood the system with authentication attempts without restriction. This flaw enables two primary attack vectors: denial-of-service (DoS) attacks and brute-force attacks. In a DoS scenario, attackers can overwhelm the system, suppressing or misrouting legitimate telemetry data from EV chargers, thereby disrupting normal operations and potentially causing outages or degraded service. In brute-force attacks, the lack of rate limiting allows attackers to repeatedly attempt authentication without lockout or throttling, increasing the likelihood of unauthorized access. The vulnerability affects all versions of the product, requires no privileges or user interaction, and can be exploited remotely over the network. The CVSS v3.1 score of 7.5 (high) reflects the network attack vector, low attack complexity, no privileges required, no user interaction, and a significant impact on availability. Although no exploits have been reported in the wild yet, the vulnerability poses a serious risk to the availability and security of SWITCH EV's charging infrastructure. The absence of patch links suggests that a fix may not yet be available, emphasizing the need for immediate mitigation steps by users and administrators.
Potential Impact
The primary impact of this vulnerability is on the availability of SWITCH EV's charging services, as attackers can launch denial-of-service attacks that disrupt legitimate telemetry data flow, potentially causing charger outages or mismanagement. This disruption can affect electric vehicle users relying on these chargers, leading to operational downtime and customer dissatisfaction. Additionally, the vulnerability enables brute-force attacks that could lead to unauthorized access if credentials are weak or reused, potentially compromising system integrity and confidentiality. For organizations operating or managing EV charging infrastructure, this could translate into service interruptions, loss of trust, and potential regulatory or compliance issues related to service availability and security. The broad impact is heightened by the fact that all versions are affected and no authentication or user interaction is required to exploit the flaw, making it accessible to remote attackers. The lack of known exploits currently reduces immediate risk but does not diminish the potential for future attacks. Overall, the vulnerability threatens critical infrastructure availability and security in the growing electric vehicle ecosystem.
Mitigation Recommendations
To mitigate this vulnerability, SWITCH EV and affected organizations should implement strict rate limiting on authentication requests at the WebSocket API level to prevent excessive attempts from a single source. This can include setting thresholds for failed authentication attempts, introducing exponential backoff delays, and temporarily blocking IP addresses exhibiting suspicious behavior. Additionally, implementing multi-factor authentication (MFA) can reduce the risk of unauthorized access through brute-force attacks. Monitoring and logging authentication attempts in real-time can help detect and respond to attack patterns promptly. Network-level protections such as Web Application Firewalls (WAFs) configured to detect and block abnormal WebSocket traffic can provide an additional layer of defense. Organizations should also enforce strong password policies and consider credential hygiene practices to minimize brute-force success. Until an official patch is released, these compensating controls are critical. Finally, maintaining up-to-date threat intelligence and preparing incident response plans specific to EV infrastructure attacks will enhance resilience against exploitation.
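One way to implement the per-source throttling described above, added here as an illustration and not SWITCH EV's code: a limiter for WebSocket authentication messages that caps attempts per time window (against floods) and applies exponential backoff after consecutive failures (against brute force). The class name, thresholds and injectable clock are assumptions chosen so the logic can be exercised offline.

```python
import time
from dataclasses import dataclass

@dataclass
class _SourceState:
    window_start: float         # start of the current attempt-counting window
    attempts: int = 0           # auth messages seen in this window (any outcome)
    failures: int = 0           # consecutive failed credential checks
    blocked_until: float = 0.0  # clock time before which attempts are refused

class AuthAttemptLimiter:
    """Per-source throttle for WebSocket auth messages (hypothetical name).

    Two controls from the mitigation text: a cap on attempts per window
    (limits floods) and exponential backoff after consecutive failures
    (limits brute force). The clock is injectable for offline testing.
    """

    def __init__(self, max_per_window=10, window=60.0, base_delay=1.0,
                 max_delay=300.0, clock=time.monotonic):
        self.max_per_window = max_per_window
        self.window = window
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self._state = {}

    def allow(self, source: str) -> tuple[bool, float]:
        """Return (allowed, retry_after_seconds) for an incoming auth message."""
        now = self.clock()
        st = self._state.setdefault(source, _SourceState(window_start=now))
        if now < st.blocked_until:                # backoff or window block active
            return False, st.blocked_until - now
        if now - st.window_start >= self.window:  # window expired: start a new one
            st.window_start, st.attempts = now, 0
        st.attempts += 1
        if st.attempts > self.max_per_window:     # flood: refuse until window ends
            st.blocked_until = st.window_start + self.window
            return False, st.blocked_until - now
        return True, 0.0

    def record(self, source: str, success: bool) -> None:
        """Update backoff state once the credential check has completed."""
        st = self._state[source]
        if success:
            st.failures = 0                       # a valid login clears the backoff
            return
        st.failures += 1                          # delays 1s, 2s, 4s, ... up to max_delay
        delay = min(self.base_delay * 2 ** (st.failures - 1), self.max_delay)
        st.blocked_until = self.clock() + delay
```

Call `allow()` when an authentication message arrives on a connection and `record()` after the credential check finishes; a refused message should be answered with the retry-after value rather than a credential check, so the expensive path is never reached by a flood. The source key can be the client IP, the charger identifier, or both, depending on how the platform identifies connections.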
Affected Countries
United States, Germany, China, United Kingdom, France, Netherlands, Canada, Japan, South Korea, Norway, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2026-02-23T23:48:14.377Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a0e11f32ffcdb8a28c26d9
Added to database: 2/27/2026, 12:11:11 AM
Last enriched: 3/14/2026, 7:32:07 PM
Last updated: 4/13/2026, 9:32:01 AM